Delving into the dangers of cloud security denial

Taj El-khayat, Area VP EMEA South, Vectra AI, explains how on-premises security and cloud security are different beasts that require different approaches.

‘What you don’t know can’t hurt you’ is a perplexing adage. Images of wandering barefoot around a dark cellar strewn with mousetraps are enough to discredit it. And yet, even as headlines highlight the dangers of ignorance in cybersecurity, some apparently still trust their toes will make it through, intact. Every security professional from Abu Dhabi to Rabat knows that is wishful thinking at best.

It is hard to capture the extent to which Middle East security teams have been incapacitated by a lack of visibility into their own environments. One way might be to invoke 19th-century schoolmaster Edwin A. Abbott’s satirical novella, Flatland. SOC professionals are but line segments and polygons trying to wrap their two-dimensional heads around the cubes and pyramids of the cloud, multi-cloud and hybrid environments of the modern IT setup. In other words, they are blind, confused and powerless.

On-premises security and cloud security are different beasts. The goals of taming each look similar: less risk, safe data, compliant infrastructure. But the methods employed to secure each vary widely. The cubic space of the cloud is far more complex than the 2D flatland of on-premises architecture, yet Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS) and serverless environments are often managed by people trained only in on-premises environments. And therein lies the problem.

DMZs and S3s without TLC

For example, an environment may use Azure for running Windows applications, AWS or Google Cloud for large-scale Web apps or advanced analytics, and a private cloud for compliance-sensitive data storage and operations. The SOC has to ensure its team is versed in each platform, but many non-technical decision makers underestimate the additional work that multiple clouds create for IT and security teams. Each cloud comes with its own attack surface, its own identity model and its own logging. Double the number of clouds and you nearly double the knowledge and labour required to protect the IT stack.

When operating a physical data centre, organisations generally define a DMZ in which a set of security controls is enforced. Monitoring is tight and authentication rules are strict, so it is easy to predict the inbound and outbound routes an adversary would have to use for infiltration and exfiltration. If the workloads served by that data centre are migrated to the cloud, the DMZ becomes a logical construct built from security groups, network ACLs, route tables and identity policies rather than a physical network segment, and a single permissive rule can open holes in the very protections it delivered on site. The act of migration can introduce exposures straight out of the gate, and rectifying them is not a simple proposition. Managing a cloud-hosted DMZ requires specialised expertise that on-premises security architects often do not possess.

For example, Amazon Web Services (AWS) offers Simple Storage Service (S3), which stores data as objects in buckets rather than as files on a file system. Buckets are private by default and their objects are reachable only through the S3 API, so tenants tend to assume the data is safe. However, if an attacker obtains credentials for a principal that can read the bucket, or finds a bucket policy or ACL that grants broad access, they can read or exfiltrate content without the tenant ever knowing: object-level access logging (CloudTrail S3 data events or S3 server access logs) is not enabled by default, so unless the tenant switched it on there is nothing to alert on. This is just one of a range of issues that affect cloud tenants. Attackers can travel inroads and out-roads in scenarios that would be flagged in on-premises environments but escape the notice of cloud tenants.
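The "without the tenant ever knowing" problem has a practical fix once object-level logging is on: read the CloudTrail S3 data events and flag reads that should not happen. The following is an added example, not code from the article or from Vectra AI. It assumes a tenant account ID, a trusted egress network, a bucket name and a handful of CloudTrail records, all constructed here; it flags GetObject calls by the anonymous principal, by a foreign account, or by the tenant's own principals from an address the tenant does not own.

```python
"""Flag S3 object reads a tenant would otherwise never see.

Added example, not code from the article or from Vectra AI. It scans
CloudTrail S3 data events (object-level logging, off by default) and flags
GetObject calls by the anonymous principal, by a foreign account, or by the
tenant's own principals from an address the tenant does not own. Account
ID, networks, bucket and records are all constructed for the example.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Assumptions: the tenant's AWS account and the egress ranges its workloads
# use when they legitimately read the bucket.
TENANT_ACCOUNT = "111122223333"
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
READ_EVENTS = {"GetObject"}  # extend with HeadObject, ListObjects as needed


def _event(name, ip, identity, key, when):
    """Build a constructed CloudTrail S3 data-event record (fields trimmed)."""
    return {"eventTime": when, "eventSource": "s3.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": identity,
            "requestParameters": {"bucketName": "example-reports", "key": key}}


OWN_USER = {"type": "IAMUser", "accountId": "111122223333",
            "arn": "arn:aws:iam::111122223333:user/reporting"}
ANONYMOUS = {"type": "AWSAccount", "principalId": "", "accountId": "anonymous"}
FOREIGN_ROLE = {"type": "AssumedRole", "accountId": "999988887777",
                "arn": "arn:aws:sts::999988887777:assumed-role/Reader/session"}

SAMPLE_EVENTS = [
    _event("GetObject", "203.0.113.10", OWN_USER, "q1/summary.csv", "2024-03-01T09:00:00Z"),      # legitimate
    _event("GetObject", "198.51.100.7", ANONYMOUS, "q1/summary.csv", "2024-03-01T09:05:00Z"),     # public object
    _event("GetObject", "198.51.100.9", FOREIGN_ROLE, "q1/customers.csv", "2024-03-01T09:06:00Z"),  # cross-account
    _event("GetObject", "192.0.2.44", OWN_USER, "q1/customers.csv", "2024-03-01T09:07:00Z"),       # stolen credentials?
    _event("PutObject", "203.0.113.10", OWN_USER, "q1/summary.csv", "2024-03-01T09:08:00Z"),      # a write, ignored
]


def ip_is_trusted(source: str) -> bool:
    """True if sourceIPAddress falls inside a trusted network.

    CloudTrail puts a service name (e.g. 'cloudfront.amazonaws.com') in this
    field for AWS-internal callers; that is not an address, so it is treated
    as untrusted here and deserves its own rule in a real deployment.
    """
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify_read(event: dict) -> str | None:
    """Return why an S3 read is suspicious, or None if it looks legitimate."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in READ_EVENTS:
        return None
    account = event.get("userIdentity", {}).get("accountId")
    if account == "anonymous":
        return "anonymous read: bucket or object is publicly readable"
    if account != TENANT_ACCOUNT:
        return f"cross-account read by account {account}"
    source = event.get("sourceIPAddress", "")
    if not ip_is_trusted(source):
        return f"read by own principal from untrusted address {source}"
    return None


def find_suspicious_reads(events: Iterable[dict]) -> list[dict]:
    """Collect one finding per suspicious read, keyed by bucket and object."""
    findings = []
    for event in events:
        reason = classify_read(event)
        if reason is None:
            continue
        params = event.get("requestParameters", {})
        identity = event.get("userIdentity", {})
        findings.append({"time": event.get("eventTime"), "bucket": params.get("bucketName"),
                         "key": params.get("key"), "reason": reason,
                         "principal": identity.get("arn") or identity.get("accountId")})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_reads(SAMPLE_EVENTS):
        print(f"{f['time']} {f['bucket']}/{f['key']} {f['principal']}: {f['reason']}")
```

The check is deliberately conservative: the tenant's own user reading from an unknown address is reported too, because a valid principal at an unexpected source is exactly what stolen credentials look like. None of this fires unless data-event logging for the bucket has been enabled in CloudTrail, which is the point of the paragraph above.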

Update fate

Remember that every service in the cloud is endowed with its own features and controls. Some of these allow external communication that can go unnoticed. Cybersecurity teams must account for each of them and devise ways to monitor each, apply policies to each and block each if necessary. This is a mammoth task in a hybrid, multi-cloud environment, and even if the SOC can somehow accomplish it, another challenge pops up.

Updates. Cloud providers ‘improve’ their services in a steady stream, tweaking tools, adding new ones, or changing default settings and policies from restrictive to permissive. Let us assume for a moment that the provider informs the tenant of every change in a timely fashion. Each addition is still a potential vulnerability. A hole that the security team had plugged may be reopened by an update. The team will also have to attend to flaws introduced in new and existing services that the organisation does not even use, because attackers can still leverage them to gain access. A good many real-world breaches can be traced back to a change introduced as part of an update that nobody re-reviewed.
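The defence against a plugged hole being reopened is to keep a reviewed baseline and re-check the live configuration against it after every change. The following is an added example, not code from the article or from Vectra AI, using the S3 bucket policy from the previous section as the configuration under review. The policies, bucket name, account ID and VPC endpoint ID are all constructed; the rule applied is the one a reviewer applies by hand: an Allow statement with a wildcard Principal and an Action that covers object reads makes the bucket public, unless a Condition narrows the caller. Bucket ACLs and the account's Block Public Access settings are separate controls and are not covered here.

```python
"""Re-check an S3 bucket policy for public read access after a change.

Added example, not code from the article or from Vectra AI. Policies,
bucket name, account ID and VPC endpoint ID are constructed. Bucket ACLs
and Block Public Access settings are separate controls, not checked here.
"""
from __future__ import annotations

import fnmatch

# Condition keys that genuinely narrow who may call, so a "*" principal is
# not public in practice. Illustrative, not an exhaustive list.
NARROWING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
                  "aws:principalorgid", "aws:principalaccount", "aws:principalarn"}

BASELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # wildcard principal, but only reachable through the tenant's VPC endpoint
            "Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {
            "Sid": "OwnerFullAccess", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        },
    ],
}

# The same policy after an "update" dropped the Condition from VpcOnlyRead
# and widened its Action to a pattern.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
            "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-reports/*",
        },
        BASELINE_POLICY["Statement"][1],
        {   # a Deny with a wildcard principal tightens access; it never exposes
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (scalar or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def grants_object_read(actions) -> bool:
    """True if any action pattern (s3:GetObject, s3:Get*, s3:*, *) matches GetObject."""
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def condition_narrows_caller(condition) -> bool:
    """True if a positive condition on a narrowing key restricts who may call."""
    for operator, keys in (condition or {}).items():
        if "not" in operator.lower():  # StringNotEquals and friends do not narrow
            continue
        if any(key.lower() in NARROWING_KEYS for key in keys):
            return True
    return False


def public_read_statements(policy: dict) -> list[str]:
    """Sids (or positions) of statements that make objects world-readable."""
    public = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(statement.get("Principal")):
            continue
        if not grants_object_read(statement.get("Action", [])):
            continue
        if condition_narrows_caller(statement.get("Condition")):
            continue
        public.append(statement.get("Sid", f"statement[{index}]"))
    return public


def newly_public(baseline: dict, current: dict) -> list[str]:
    """Statements public now that were not public in the reviewed baseline."""
    before = set(public_read_statements(baseline))
    return [sid for sid in public_read_statements(current) if sid not in before]


if __name__ == "__main__":
    print("public in baseline:", public_read_statements(BASELINE_POLICY))
    print("public now:", public_read_statements(CURRENT_POLICY))
    print("reopened since baseline:", newly_public(BASELINE_POLICY, CURRENT_POLICY))
```

Running this shows the baseline as clean and the current policy exposing VpcOnlyRead, which is the hole the team had plugged with the VPC endpoint condition. The same shape of check, a reviewed baseline diffed against the live configuration on a schedule, applies to every service's security settings, not just S3.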

It is worth circling back to the on-premises model for some scenario comparison. If an organisation had full control over the data centre, with a physical DMZ in place and a team that thoroughly understood the inner workings of all OSes and platforms, what would happen at update time? First, neither the CIO nor the CISO would install applications that were unnecessary. Shadow IT notwithstanding, both tech teams would ensure the suite is composed only of useful components. Of course, on-premises data centres suffer from update backlogs, where known vulnerabilities remain unpatched because of a lack of resources and disagreement on priorities.

Your lightbulb moment

What you can’t see can wound you deeply. Tiptoeing around mousetraps is no substitute for replacing the lightbulb. SOCs must gain a broad and deep understanding of the differences between on-prem and cloud operations. Hybrid and multi-cloud have become the norm across the region’s IT setups. This irreversible trend calls for a measured strategy. Allowing each business unit to choose its own cloud without close consultation with IT and the SOC is a recipe for complexity and inevitable catastrophe. Instead, remember that each cloud is associated with its own risk and workload. Attackers rub their hands with glee at the mousetrap opportunities exposed by cloud-inflated attack surfaces. Do not make their life any easier by wandering around with the light off.

Intelligent CISO
